Encryption method based on factorization

ABSTRACT

The present invention relates to an asymmetrical encryption method. The public key is made up of a large composite number n; the private key is made up of the factors of the composite number. The encryption is made up of a number of iterations of individual encryption steps that are successively reversed during the decryption. In this context, the reversal of an individual encryption step requires the solving of a quadratic equation modulo n. The private key is preferably made up of the large prime numbers p and q. The public key is the product n of these two prime numbers, as well as a comparatively small integer L which is greater than one. The message m is made up of two integral values m₁ and m₂, thus

m = (m₁, m₂),

both values being in the set Z_(n) = {0, 1, 2, ..., n−1}.

The encryption is accomplished via the equation

c = f^(L)(m).

SUMMARY

The present invention provides a method for encrypting data according to an asymmetrical method, based on a factorization problem, having a public key and a private key; the public key being the iteration number L as well as the composite number n, n preferably being the product of a plurality of large prime numbers; the private key is made up of the factorization of n; the message m=(m₁, m₂) to be encrypted is made up of at least components m₁ and m₂; an encryption function f(x) is iterated a total of L times, with c=(c₁, c₂)=f^(L)(m); f(m)=(f₁(m), f₂(m)) being applicable, and f₁=(m₁ op₁ m₂) mod n as well as f₂=(m₁ op₂ m₂) mod n; op₁ being, for example, an addition and op₂ being, for example, a multiplication. The encryption function f(x) is selected in such a way that the encryption iteration can be reversed by the L-fold solution of a quadratic equation modulo n, it thus being possible to retrieve the original message from the encrypted information c=(c₁, c₂). In an embodiment, a multivaluedness of the quadratic equation is eliminated by additional bits of a_(i) and b_(i). In an embodiment, the multivaluedness of the quadratic equation is eliminated by calculating a parity and a Jacobi symbol which, for example, in the case of prime numbers of form 3 mod 4, can be communicated by 2 bits per iteration step. In an embodiment, general iterations f₁=(k₁·m₁+k₂·m₂) mod n as well as f₂=(k₃·m₁·m₂) mod n are used, constants being part of the public key. In an embodiment, the composite number n as public key contains more than two factors. In an embodiment, the message is made up of an N-tuple m=(m₁, ..., m_(N)), the formula for the Lth iteration step using dependencies of N values in each iteration step. In an embodiment, the multivaluedness is resolved by additional bits that are derived from the values obtained in each iteration. In an embodiment, the multivaluedness is resolved by redundancy in the transmitted data.

The present invention provides a method for generating a signature, wherein a signature is generated by interchanging the encryption and decryption steps from one or more of the method embodiments described herein. The present invention provides software for a computer which implements one or more of the method embodiments described herein. That is, the software is instructions configured to be executed by the computer; the instructions, when executed by the computer, cause the performance of one or more of the method embodiments described herein. The present invention provides a data carrier for a computer, characterized by the storage of software for the computer which implements one or more of the method embodiments described herein.

DETAILED DESCRIPTION

The present invention relates to an asymmetrical, public-key encryption method. In particular, the invention relates to a method for encrypting data on the basis of the factorization problem. In this context, the decryption of encrypted data is as complex as the problem of finding large prime divisors of large numbers. In detail, in the present invention, quadratic equations are to be solved for the decryption.

Encryption methods are used to protect data from unauthorized access when stored or during transmission over insecure communication channels. In so doing, the data are changed in such a way that this change cannot be undone without knowledge of a specific key. Encryption methods may be subdivided into the categories of asymmetrical and symmetrical. In symmetrical methods, the same key is used both for encryption and for decryption. Asymmetrical methods have two different keys, of which one is used for encryption and the other for decryption. In this context, all users can know the encryption key, whereas the decryption key must be kept secret. Therefore, the encryption key is also known as the public key, and the decryption key as the private key. Book [1] in the literature list, for example, offers an overview of modern encryption methods.

The methods of Rabin ([3]) and Williams ([6]), which likewise utilize quadratic equations, are known. However, in these methods, only half the data bits are sent per transmission. Corresponding complexity restrictions thereby arise, and a greater demand for computing power during the encryption and the decryption.

Using polynomials of the second degree, the method of Schwenk and Eisfeld ([5]) offers little security against attacks which take advantage of the dependencies of message parts m₁ and m₂ on one another.

The objective is achieved by an invention having the features delineated in the independent claims. An asymmetrical encryption method is thereby described, based on the factorization problem. It has less complexity than the RSA method in the encryption, and is able to transmit more data bits per encryption than the Rabin method or Williams method.

As already described above, the present invention concerns an asymmetrical encryption method. The public key is made up of a large composite number n; the private key is made up of the factors of the composite number. The encryption is made up of a number of iterations of individual encryption steps that are successively reversed during the decryption. The reversal of an individual encryption step requires the solving of a quadratic equation modulo n (see below). Such a quadratic equation can only be easily solved if the factors of n are known.

The private key is preferably made up of the large prime numbers p and q. The public key is the product n of these two prime numbers, as well as a comparatively small integer L which is greater than one. Message m is made up of two integral values m₁ and m₂, so that

m = (m₁, m₂),

both values lying in the set Z_(n) = {0, 1, 2, ..., n−1}.

The encryption is accomplished via the equation

c = f^(L)(m).

In the present case, encrypted value c is likewise made up of a double tuple of integers from Z_(n), that is, c=(c₁, c₂).

Function f^(L)(m) is recursively defined by

f^(j+1)(m) = f(f^(j)(m)).

For j=1, f¹(m) = f(m) = (f₁(m), f₂(m)) applies, where

f₁(m) = m₁ + m₂ mod n,
f₂(m) = m₁·m₂ mod n.

The encrypted text is therefore obtained by the recursions

a_(i+1) = a_(i) + b_(i) mod n,  (1)
b_(i+1) = a_(i)·b_(i) mod n,  (2)

with the starting values a₀=m₁, b₀=m₂ and the final values c₁=a_(L), c₂=b_(L).

For the decryption, one must be able to reverse the recursion. This is accomplished by solving the above equations for a_(i) and b_(i). One immediately obtains the quadratic equation

z² − a_(i+1)·z + b_(i+1) = 0 mod n,  (3)

which has a_(i) and b_(i) as solutions. The problem of the further solutions of equation (3) will be discussed later. If n is the product of very large prime numbers, then the solution of quadratic equations without knowledge of the prime factors is presumably a very difficult problem. With knowledge of the prime factors, however, this is possible without difficulty. The current methods for taking the root modulo n are described in detail in [2].

To ensure the security of the encryption system, the recursion must be performed at least twice, since otherwise, if it is performed exactly one time, the message parts m₁ and m₂ enter in linear fashion into the term a₁=m₁+m₂.

Another important aspect is the selection of the correct roots for the decryption.

If the number n contains exactly two prime factors p and q, equation (3) has four solutions. With a few bits for each a_(i), i=1, 2, ..., L, the sender is able to eliminate the multivaluedness for the legitimate receiver. To resolve the multivaluedness, for example, error detection characters or parity characters may in each case be derived from a_(i).

In the most favorable case, 2 bits per iteration step are needed to completely resolve the multivaluedness in each step. The 4 solutions of equation (3) are given by

$$z_{i,1\ldots4} = \frac{a_{i+1}}{2} + w_{i,1\ldots4} \bmod n, \qquad (4)$$

where $w_{i,1\ldots4} = \sqrt{a_{i+1}^2/4 - b_{i+1}} \bmod n$ are the four square roots of the expression a_(i+1)²/4 − b_(i+1) modulo n.

The four values are connected as follows:

w_(i,1) = −w_(i,2) mod n and w_(i,3) = −w_(i,4) mod n.

We number the four roots according to their parity (even, odd) so that

w_(i,1), w_(i,3) are even and w_(i,2), w_(i,4) are odd.

One particularly elegant solution making it possible to differentiate all four roots from one another is as follows for p ≡ q ≡ 3 mod 4:

In addition to parity, the so-called Jacobi symbol (w_(i)/n) is used as a further discriminating criterion (for theory and efficient calculation, see, for example, [2]). For non-trivial values of w_(i), as are needed in the decryption, the Jacobi symbol supplies the value 1 or −1. The Jacobi symbol can be calculated with expenditure O(log² n).

The parity and the Jacobi symbol are sufficient for precisely selecting one of the four roots w_(i,1..4). The parity and the Jacobi symbol can be coded using 2 bits. By appending these two bits in each of the L iteration steps, the legitimate receiver is given the ability to reverse the L iteration steps.

The root leading to solution a_(i) in equation (4) is designated by w_(i), thus a_(i) = a_(i+1)/2 + w_(i) mod n. The parity and the Jacobi symbol are each specified with respect to this root. With the establishment of the value of a_(i), the value for b_(i) then follows immediately as b_(i) = a_(i+1) − a_(i) mod n. In summary, one thus obtains

a_(i) = a_(i+1)/2 + w_(i) mod n,  (5)
b_(i) = a_(i+1)/2 − w_(i) mod n.  (6)

In the encryption, at each step, from the number pair (a_(i), b_(i)), the pair (a_(i+1), b_(i+1)) is calculated, as well as the parity and the Jacobi symbol of w_(i) = (a_(i) − a_(i+1)/2) mod n.

With knowledge of the factorization, these steps can each be reversed by solving

√(a_(i+1)²/4 − b_(i+1)) mod n,

the parity and Jacobi symbol of the intended root being transmitted alongside.

Another important aspect is the parameter selection. At present, realistic orders of magnitude for each of the two prime numbers are from approximately 510 bits, i.e., n has a length of approximately 1020 bits. For L, a magnitude O(log log n) is recommended; for n of 1000 bits, a value of approximately 3-10.

The bit lengths to be selected in the future may be oriented to the parameters of the RSA method.

An advantage of the method presented here is that the quantity of useful data is twice as great as in comparable methods.

Using standard algorithms, an encryption complexity of O(L log² n) is reached, if one reckons the expenditure for a multiplication as O(log² n). When using current algorithms, one must reckon with an expenditure of O(L log³ n) for the decryption complexity. If an order of magnitude of O(log log n) is selected for L, a time advantage (in addition to the greater useful-data rate) results for the encryption compared to the RSA method.

As in the case of the Rabin method and Williams method, care must be taken in the implementation that, in each case, only the correct roots of equation (3) exit the decoder during the decryption, since otherwise the number n can be factored.

In another refinement, as in the RSA method, the modulus n may also contain more than two large prime factors. Naturally, the number of solutions for equation (3) also increases accordingly.

A further generalization is achieved by introducing additional constants in the recursion:

a_(i+1) = k₁·a_(i) + k₂·b_(i) mod n,
b_(i+1) = k₃·a_(i)·b_(i) mod n,

which are made known as part of the public key. The decoding is performed in correspondingly modified form.

In another specific embodiment, the size of the tuple is altered. Instead of working with double tuples m=(m₁, m₂), it is also possible to work with q-tuples. In the following, the expansion based on triple tuples is illustrated. The message is now made up of the triple tuple

m = (m₁, m₂, m₃).

The formula for the Lth iteration step is still

f^(j+1)(m) = f(f^(j)(m)),

the basic iteration f¹(m) = (f₁(m), f₂(m), f₃(m)), however, being formed as follows:

f₁(m) = m₁ + m₂ + m₃ mod n,
f₂(m) = m₁·m₂ + m₁·m₃ + m₂·m₃ mod n,
f₃(m) = m₁·m₂·m₃ mod n.

The inverse calculation is accomplished by solving a third-degree equation. The roots may again be discriminated by information (parity symbol, Jacobi symbol, etc.) derived accordingly from the interim results. The expansion to degrees greater than or equal to four may be accomplished in an analogous manner. In the iteration, essentially the elementary symmetric (Newtonian) terms must be considered, to which additional constants, as already described above, may be added.

In the following, the method of the present invention is elucidated in light of an example. For reasons of clarity, the numbers in the following are selected to be very small. Let us say n=8549=p·q, with the private prime numbers p=83 and q=103. Let us assume the number of iterations L=3, and the message to be encrypted is given by m=(m₁, m₂)=(123, 456). Even parity is coded by a zero, odd parity by a one. Parity bit b_(P) is used for this. If the Jacobi symbol is equal to one, a one is coded; if it is equal to minus one, a zero is coded. Jacobi bit b_(J) is used for this.

The following values are obtained:

(a₀, b₀) = (123, 456)
(a₁, b₁) = (579, 4794)
(a₂, b₂) = (5373, 5850)
(a₃, b₃) = (2674, 5926)

For the three pairs (a₁, b₁), (a₂, b₂) and (a₃, b₃), a parity bit and a Jacobi bit each (L·2 bits in all) are also added, given in the example by the following binary vector:

(b_(P,3), b_(J,3), b_(P,2), b_(J,2), b_(P,1), b_(J,1)) = (0, 0, 1, 1, 0, 1).

Initially, the receiver determines the four roots w_(2,1..4) = 1629, 4036, 4513, 6920. Based on b_(P,3)=0, the receiver recognizes that the correct root is even. Thus, only 4036 and 6920 remain. Of these, (4036/8549)=−1 and (6920/8549)=1. b_(J,3)=0 implies that 4036 is the correct selection. An analogous procedure leads to the complete decryption.

In certain application cases, e.g. when the unencrypted message m contains redundancy, it is possible to dispense with the co-transmission of the bits for resolving the multivaluedness. For example, this is the case for normal texts or when a so-called hash value was already placed in m. However, this is done at a decryption expenditure increased by a factor of 4^(L). Corresponding compromises are likewise possible; for example, the specification of only the parity in each of the L steps reduces the number of bits to be co-transmitted to L bits, and increases the decryption expenditure by the factor 2^(L).
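The root selection by parity and Jacobi symbol from equations (4) to (6), the worked example with n=8549=83·103, L=3 and m=(123, 456), and the 4^(L) search when no bits are co-transmitted, as an added Python example that is not part of the patent. It assumes p ≡ q ≡ 3 mod 4 (so square roots modulo each prime come from a single exponentiation, recombined by the Chinese remainder theorem) and, as the patent does, that the roots w_(i) are coprime to n so the Jacobi symbol is ±1. The plausibility predicate passed to decrypt_by_redundancy is a constructed stand-in for whatever redundancy check the message actually carries. The toy parameters are the patent's own and are far too small for any real use.

```python
# Added example (not from the patent): toy implementation of the iterated
# add/multiply scheme with the patent's parameters n = 8549 = 83 * 103, L = 3.
from itertools import product


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity loop."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2/n) = -1 iff n = 3,5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # 0 means gcd(a, n) > 1


def jacobi_bit(w, n):
    """Patent coding: Jacobi symbol +1 -> bit 1, -1 -> bit 0."""
    return 1 if jacobi(w, n) == 1 else 0


def sqrts_mod_pq(x, p, q):
    """All square roots of x modulo n = p*q for p, q = 3 mod 4; [] if x is a non-square.
    This is the private-key step: it needs the factors p and q."""
    n = p * q
    rp, rq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
    if (rp * rp - x) % p or (rq * rq - x) % q:
        return []
    roots = set()
    for sp, sq in product((rp, p - rp), (rq, q - rq)):
        roots.add((sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n)  # CRT
    return sorted(roots)


def encrypt(m, n, L):
    """Return (c, bits, trace): ciphertext, per-step (parity, Jacobi) bits, all (a_i, b_i)."""
    a, b = m
    inv2 = pow(2, -1, n)
    bits, trace = [], [(a, b)]
    for _ in range(L):
        a_next, b_next = (a + b) % n, (a * b) % n   # recursions (1) and (2)
        w = (a - a_next * inv2) % n                 # the root w_i that leads back to a_i
        bits.append((w % 2, jacobi_bit(w, n)))      # patent assumes gcd(w_i, n) = 1
        a, b = a_next, b_next
        trace.append((a, b))
    return (a, b), bits, trace


def patent_bit_vector(bits):
    """Flatten the bits in the patent's order (b_P,L, b_J,L, ..., b_P,1, b_J,1)."""
    return tuple(bit for pair in reversed(bits) for bit in pair)


def step_back(a, b, n, p, q):
    """Solve z^2 - a*z + b = 0 mod n: return a/2 and the four roots w of a^2/4 - b."""
    half = (a * pow(2, -1, n)) % n
    return half, sqrts_mod_pq((half * half - b) % n, p, q)


def decrypt(c, bits, n, p, q):
    """Reverse the L steps, selecting each root by its parity and Jacobi bits (eqs. (5), (6))."""
    a, b = c
    for parity, jac in reversed(bits):
        half, roots = step_back(a, b, n, p, q)
        chosen = [w for w in roots if w % 2 == parity and jacobi_bit(w, n) == jac]
        if len(chosen) != 1:
            raise ValueError("parity and Jacobi bits did not single out one root")
        a, b = (half + chosen[0]) % n, (half - chosen[0]) % n
    return (a, b)


def decrypt_by_redundancy(c, n, p, q, L, is_plausible):
    """No bits co-transmitted: follow all 4**L root choices and keep the candidates
    that pass the message's redundancy check (here a caller-supplied predicate)."""
    frontier = [c]
    for _ in range(L):
        nxt = []
        for a, b in frontier:
            half, roots = step_back(a, b, n, p, q)
            nxt += [((half + w) % n, (half - w) % n) for w in roots]
        frontier = nxt
    return [m for m in frontier if is_plausible(m)]


if __name__ == "__main__":
    p, q, L = 83, 103, 3
    n = p * q
    c, bits, trace = encrypt((123, 456), n, L)
    print("trace:", trace)                        # (123,456) ... (2674,5926)
    print("bits:", patent_bit_vector(bits))       # (0, 0, 1, 1, 0, 1)
    print("decrypted:", decrypt(c, bits, n, p, q))
    # Constructed plausibility check standing in for real message redundancy.
    print("redundancy search:", decrypt_by_redundancy(c, n, p, q, L, lambda m: max(m) < 1000))
```

Running the block reproduces the patent's intermediate pairs and the bit vector (0, 0, 1, 1, 0, 1); at the last step it finds the four roots 1629, 4036, 4513, 6920 and keeps 4036. Note that decrypt raises rather than guessing when the bits do not isolate exactly one root, and sqrts_mod_pq is the only place the factors p and q are used, which is the boundary an implementation has to guard so that no incorrect root leaves the decoder.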

As in the asymmetrical methods known in the literature ([1], [3], [4], [5]), a so-called digital signature method may be attained essentially by the interchange of encryption operations and decryption operations in the proposed method as well.

In embodiments of the present invention, a data carrier for a computer is provided, the data carrier being a software storage device.

LIST OF THE CITED LITERATURE

-   [1] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1996.
-   [2] E. Bach, J. Shallit, "Algorithmic Number Theory", Vol. 1, Efficient Algorithms, The MIT Press, Cambridge, Mass., 1996.
-   [3] M. O. Rabin, "Digitalized Signatures and Public-Key Functions as Intractable as Factorization", MIT/LCS/TR-212, 1979.
-   [4] R. L. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Communications of the ACM, Vol. 21, No. 2, pp. 120-126, February 1978.
-   [5] J. Schwenk, J. Eisfeld, "Public Key Encryption and Signature Schemes Based on Polynomials over Z_(n)", Eurocrypt 1996, LNCS 1070, Springer-Verlag, Berlin Heidelberg, 1996.
-   [6] H. Williams, "A Modification of the RSA Public-Key Encryption Procedure", IEEE Transactions on Information Theory, Vol. IT-26, No. 6, November 1980.

1. A method for encrypting data according to an asymmetrical method using a processor, based on a factorization problem, comprising: providing a public key to the processor; and providing a private key to the processor; wherein the public key includes composite number n; the private key is made up of the factorization of n; a message m=(m₁, m₂) to be encrypted is made up of at least components m₁ and m₂; an encryption function f(x) is iterated a total of L times, with c=(c₁, c₂)=f^(L)(m), c₁ and c₂ being integral numbers; f(m)=(f₁(m), f₂(m)) being applicable, and f₁=(m₁ op₁ m₂) mod n as well as f₂=(m₁ op₂ m₂) mod n; the encryption function f(x) being selected in such a way that the encryption iteration can be reversed by the L-fold solution of a quadratic equation modulo n, it thus being possible to retrieve the original message from the encrypted information c=(c₁, c₂), wherein a multivaluedness of the quadratic equation is eliminated by additional bits of a_(i) and b_(i) to obtain a set of roots and by calculating a parity and a Jacobi symbol which, in the case of prime numbers of form 3 mod 4, can be communicated by 2 bits per iteration step.

2. The method of claim 1, wherein general iterations f₁=(k₁·m₁+k₂·m₂) mod n as well as f₂=k₃·m₁·m₂ mod n are used, constants being part of the public key.

3. The method of claim 1, wherein the composite number n as public key contains more than two factors.

4. The method of claim 1, wherein the message is made up of an N-tuple m=(m₁, ..., m_(N)), the formula for the Lth iteration step using dependencies of N values in each iteration step.

5. The method of claim 4, wherein the multivaluedness is resolved by additional bits that are derived from the values obtained in each iteration.

6. The method of claim 1, wherein the multivaluedness is resolved by redundancy in the transmitted data.

7. The method of claim 1, wherein n is a product of a plurality of large prime numbers.

8. The method of claim 7, wherein op₁ is an addition and op₂ is a multiplication.

9. The method of claim 1, wherein op₁ is an addition and op₂ is a multiplication.

10. A method for generating a signature using a processor, comprising: generating using the processor a signature by interchanging the encryption and decryption steps, including functions for encrypting data according to an asymmetrical method, based on a factorization problem, having a public key and a private key; wherein the public key includes a composite number n; the private key being made up of the factorization of n; a message m=(m₁, m₂) to be encrypted is made up of at least components m₁ and m₂; an encryption function f(x) is iterated a total of L times, with c=(c₁, c₂)=f^(L)(m); f(m)=(f₁(m), f₂(m)) being applicable, and f₁=(m₁ op₁ m₂) mod n as well as f₂=(m₁ op₂ m₂) mod n; the encryption function f(x) being selected in such a way that the encryption iteration can be reversed by the L-fold solution of a quadratic equation modulo n, it thus being possible to retrieve the original message from the encrypted information c=(c₁, c₂), c₁ and c₂ being integral numbers; wherein a multivaluedness of the quadratic equation is eliminated by additional bits of a_(i) and b_(i) to obtain a set of roots and by calculating a parity and a Jacobi symbol which, in the case of prime numbers of form 3 mod 4, can be communicated by 2 bits per iteration step.

11. The method of claim 10, wherein n is a product of a plurality of large prime numbers, and op₁ is an addition and op₂ is a multiplication.

12. A data carrier storage for a computer, comprising: storage of software for the computer, the software being instructions configured to be executed by the computer, the instructions which, when executed by the computer, cause the performance of functions for encrypting data according to an asymmetrical method, based on a factorization problem, having a public key and a private key; wherein the public key includes a composite number n, the private key being made up of the factorization of n; a message m=(m₁, m₂) to be encrypted is made up of at least components m₁ and m₂; an encryption function f(x) is iterated a total of L times, with c=(c₁, c₂)=f^(L)(m); f(m)=(f₁(m), f₂(m)) being applicable, and f₁=(m₁ op₁ m₂) mod n; the encryption function f(x) being selected in such a way that the encryption iteration can be reversed by the L-fold solution of a quadratic equation modulo n, it thus being possible to retrieve the original message from the encrypted information c=(c₁, c₂), c₁ and c₂ being integral numbers; wherein a multivaluedness of the quadratic equation is eliminated by additional bits of a_(i) and b_(i) to obtain a set of roots and by calculating parity and a Jacobi symbol which, in the case of prime numbers of form 3 mod 4, can be communicated by 2 bits per iteration step.

13. The method of claim 12, wherein n is a product of a plurality of large prime numbers, and op₁ is an addition and op₂ is a multiplication.

14. A computer system, comprising: a device that executes a method, the method having software for a computer, comprising functions for encrypting data according to an asymmetrical method, based on a factorization problem, having a public key and a private key; wherein the public key includes a composite number n, the private key being made up of the factorization of n; a message m=(m₁, m₂) to be encrypted is made up of at least components m₁ and m₂; an encryption function f(x) is iterated a total of L times, with c=(c₁, c₂)=f^(L)(m); f(m)=(f₁(m), f₂(m)) being applicable, and f₁=(m₁ op₁ m₂) mod n as well as f₂=(m₁ op₂ m₂) mod n; the encryption function f(x) being selected in such a way that the encryption iteration can be reversed by the L-fold solution of a quadratic equation modulo n, it thus being possible to retrieve the original message from the encrypted information c=(c₁, c₂), c₁ and c₂ being integral numbers; wherein a multivaluedness of the quadratic equation is eliminated by additional bits of a_(i) and b_(i) to obtain a set of roots and by calculating a parity and a Jacobi symbol which, in the case of prime numbers of form 3 mod 4, can be communicated by 2 bits per iteration step.

15. The method of claim 14, wherein n is a product of a plurality of large prime numbers, and op₁ is an addition and op₂ is a multiplication.